TunnelCrack: Discovering Flaws in VPN Security

Virtual Private Networks (VPNs) have become synonymous with online privacy and security, providing an encrypted tunnel for your data as it travels across . They are designed to keep your online activities safe and away from prying eyes. But what happens when the very tool designed to protect your privacy becomes a conduit for attacks? Meet “TunnelCrack”, a shocking revelation that has sent shockwaves through the cybersecurity world.

A research team led by Nian Xue from New York University has uncovered two major vulnerabilities in VPNs that have been lurking undetected since 1996. These weaknesses, which exist in almost every VPN product on all platforms, can be exploited to leak and reading user traffic, stealing information or even launching attacks on users' devices.


The vulnerabilities were named “LocalNet” and “ServerIP”. While iOS, iPads, MacBooks and macOS are most likely to be affected, Windows and Linux are not completely immune. Android appears to be the safest, with only about a quarter of VPN apps being vulnerable.

LocalNet attacks exploit routing exceptions in VPNs, specifically the rules that allow traffic to and from local networks and the VPN server. An attacker can trick the VPN client and send traffic outside the secure tunnel by manipulating these exceptions.

An example is the attacker creating a malicious Wi-Fi network (eg “starbucks”) and assigning a public IP address and subnet to the victim. The victim's traffic, instead of passing through the secure tunnel, is sent outside, making it easy prey for interception.


Most shockingly, all VPN apps on iOS and almost all on macOS were found to be vulnerable. Windows, Linux and Android also showed varying degrees of vulnerabilities.


ServerIP attacks take a different but equally effective approach. Here, the attacker spoofs the IP address of the VPN server. By modifying the DNS response, the attacker redirects the victim's traffic to the wrong IP address.

The victim's requests to specific websites are then sent outside the protected VPN tunnel, leaking the page's request.

Cybersecurity researchers have released guides and scripts to help users assess whether their VPN service is affected by the TunnelCrack vulnerability.

Windows, macOS and iOS built-in VPN clients were found to be more vulnerable to this type of attack, while Android 12 and newer versions remain unaffected.

A number of VPN providers have already patched these vulnerabilities, including Mozilla VPN, Surfshark, Malwarebytes and Cloudflare's WARP. Users can also take steps such as disabling local network access or ensuring HTTPS is used to mitigate these attacks.

iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).